1. Introduction

Welcome to Arca. This Privacy Policy explains how GRE Development Ltd ("we", "us", "our", or "Arca") collects, uses, stores, and protects your personal information when you use our task management desktop application and related services.

By using Arca, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

2. Data Controller

The data controller responsible for your personal information is:

• GRE Development Ltd.
• Address: 7 Coronation Road, London, United Kingdom, NW10 7PQ
• Email: [email protected]

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

• Full name
• Email address
• Password (stored using industry-standard encryption — we never store plain text passwords)
• Profile information you choose to provide

3.2 OAuth Authentication Data

If you choose to sign in with Google, we collect:

• Email address and name from your Google account
• Profile picture URL
• OAuth access and refresh tokens (encrypted and stored securely)
• Google account ID

3.3 Workspace and Task Data

As you use Arca to manage your work, we store:

• Workspaces, folders, lists, and tasks you create
• Task details (titles, descriptions, priorities, statuses, due dates, start dates)
• Comments, reactions, and @mentions
• Task attachments and files (stored securely in private cloud storage)
• Custom labels, statuses, and views
• Activity logs and edit history
• Team member assignments and roles
• Notification preferences and subscriptions

3.4 Integration Data

If you connect third-party services to Arca:

• Google Calendar: Read-only access to your calendar events (with your explicit consent). We cache event data temporarily to display it in Arca’s calendar view.

3.5 Billing Information

When you upgrade to a paid plan:

• Stripe customer ID (generated by Stripe)
• Subscription status, plan type, and billing interval
• Payment history and invoices (processed and stored by Stripe — we do not store credit card details)

3.6 Technical and Usage Data

To provide and improve our services, we automatically collect:

• Device information (device name, operating system) for session tracking
• IP address (for security, fraud prevention, and rate limiting)
• Session authentication tokens with automatic expiration
• Login timestamps and session activity
• Connection data for real-time collaboration features

We may use third-party analytics tools in the future to understand how users interact with Arca. If we do, we will update this policy and provide options to opt out.

3.7 Email Verification and Security

For account security:

• One-time passwords (OTP) sent via email for registration and password reset (securely hashed and expire after a short time period)
• Email validation via fraud prevention service (to detect disposable email addresses and prevent abuse)

4. How We Use Your Information

We use the information we collect to:

• Create and manage your account
• Authenticate your identity and maintain session security
• Provide task management, collaboration, and workspace features
• Display real-time online presence and activity updates
• Process payments and manage subscriptions
• Send transactional emails (OTP codes, password resets, workspace invitations)
• Send optional marketing communications (with your consent, which you can withdraw at any time)
• Sync your Google Calendar events (if you enable the integration)
• Enforce plan limits and billing policies
• Prevent fraud, spam, and abuse
• Comply with legal obligations and enforce our Terms of Service
• Improve and optimize our services
• Respond to support requests and technical issues

We do not sell your personal information to third parties.

5. Third-Party Services and Data Sharing

We use the following trusted third-party services to operate Arca. Each service has its own privacy policy and data handling practices:

5.1 Google (OAuth and Calendar Integration)

• Purpose: User authentication (Google Sign-In) and optional calendar synchronization
• Data shared: Email, name, profile picture, OAuth tokens, calendar events (read-only)
• Privacy Policy: https://policies.google.com/privacy

5.2 Stripe

• Purpose: Payment processing and subscription management
• Data shared: Email, name, billing information, subscription details
• Privacy Policy: https://stripe.com/privacy

5.3 Brevo (Sendinblue)

• Purpose: Transactional email delivery (OTP codes, password resets, notifications)
• Data shared: Email address, name
• Privacy Policy: https://www.brevo.com/legal/privacypolicy/

5.4 Cloudflare R2

• Purpose: Secure file storage for task attachments
• Data shared: Uploaded files and associated metadata
• Privacy Policy: https://www.cloudflare.com/privacypolicy/

5.5 Greip

• Purpose: Email validation and fraud prevention during registration
• Data shared: Email address
• Privacy Policy: https://greip.io/legal-and-security/privacy

We do not share your personal data with any other third parties except:

• When required by law or legal process
• To enforce our Terms of Service
• With your explicit consent

6. Data Storage and Security

We take the security of your personal information seriously and implement industry-standard measures to protect it:

• All passwords are encrypted using industry-standard hashing algorithms before storage
• All data transmitted between your device and our servers is encrypted using HTTPS/TLS
• Authentication tokens automatically expire after a limited time period
• One-time passwords expire quickly and are encrypted before storage
• Session tokens have limited validity and can be revoked at any time
• Database access is strictly restricted and monitored
• File attachments are stored in private cloud storage with time-limited access URLs
• Real-time connections are authenticated before accepting real-time data
• Input is sanitized to prevent common security vulnerabilities
• Rate limiting is enforced to prevent automated attacks

While we strive to protect your personal information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

7. Your Rights (GDPR & CCPA)

Depending on your location, you have the following rights regarding your personal information:

7.1 Right to Access

You can request a copy of all personal data we hold about you.

7.2 Right to Rectification

You can update your account information directly in the app (Click your profile picture → Update Profile).

If you need assistance, contact us at [email protected]

7.3 Right to Erasure (Right to be Forgotten)

You can delete your account at any time from the app settings. Upon deletion:

• Your personal data is immediately removed from our active databases
• Workspaces you own are deleted (or transferred to another owner if specified)
• Your comments and activity history remain visible (attributed to "Deleted User") to preserve workspace integrity
• We may retain certain data if required by law (e.g., billing records for tax compliance)

7.4 Right to Data Portability

You can export your tasks data in CSV format from the app (Settings → Import/Export).

7.5 Right to Restrict Processing

You can request that we limit how we process your personal data.

7.6 Right to Object

You have the right to object to certain types of processing, including:

• Marketing emails (unsubscribe via the link in any email or in app settings)
• Analytics tracking (if enabled in the future, we will provide an opt-out mechanism)

7.7 Right to Withdraw Consent

If we process your data based on consent (e.g., marketing emails, Google Calendar integration), you can withdraw consent at any time without affecting prior processing.

7.8 Right to Lodge a Complaint

If you believe we have mishandled your personal data, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO): https://ico.org.uk

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8. Data Retention

We retain your personal information only as long as necessary to provide our services and comply with legal obligations:

• Active accounts: Data is retained for as long as your account is active
• Deleted accounts: Personal data is deleted immediately, except where required by law (e.g., billing records retained for 7 years for UK tax compliance)
• Verification codes: Automatically deleted shortly after expiration
• Session tokens: Expire automatically after a limited period or when manually revoked
• Google Calendar cache: Cached events are refreshed periodically and deleted when you disconnect the integration
• File attachments: Deleted when the associated task is deleted
• Temporary uploads: Automatically cleaned up if not confirmed within a reasonable timeframe
• Audit logs: Activity history is retained for workspace integrity but anonymized after account deletion

We do not maintain automated database backups. All deletions are permanent.

9. Children's Privacy

Arca is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected information from a child under 16, please contact us immediately at [email protected], and we will take steps to delete such information.

10. International Data Transfers

Your personal data may be transferred to and processed in countries outside the UK and European Economic Area (EEA), including the United States, where our third-party service providers (Google, Stripe, Cloudflare, Brevo) operate.

These transfers are protected by:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Privacy Shield certification (where applicable)
• Adequacy decisions by the UK Information Commissioner's Office

We ensure that all third-party providers adhere to GDPR and UK GDPR standards.

11. Cookies and Local Storage

Arca is a desktop application that uses local storage to maintain your authenticated session. We do not use tracking cookies or third-party advertising cookies.

Data stored locally on your device includes:

• Authentication credentials (stored securely in encrypted local storage)
• User profile information (name, email, avatar URL)
• Session identifiers
• Application preferences

This data remains on your device and is never shared with third parties. You can clear this data by logging out or uninstalling the application.

12. Marketing Communications

With your consent, we may send you promotional emails about new features, updates, and special offers. You can opt out at any time by:

• Clicking the "Unsubscribe" link in any marketing email
• Updating your email preferences in the app (Settings → Notifications)
• Contacting us at [email protected]

Opting out of marketing emails will not affect transactional emails (OTP codes, password resets, workspace invitations), which are necessary for the operation of our services.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. When we make significant changes, we will:

• Update the "Last Updated" date at the top of this policy
• Notify you via email or in-app notification
• Request your consent if required by law

We encourage you to review this Privacy Policy periodically. Your continued use of Arca after changes are posted constitutes your acceptance of the updated policy.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal information, please contact us:

• GRE Development Ltd.
• Address: 7 Coronation Road, London, United Kingdom, NW10 7PQ
• Email: [email protected]

We will respond to all requests within 30 days.